As a publisher, I want SSC creation gated on consent so non-consenting users are not tracked #464

@ChristianPavilonis

User story

As a publisher, I want the system to check TCF (EU/UK) and GPP (US) consent flags before creating a Synthetic Session Cookie, so that my site complies with GDPR opt-in and US state privacy opt-out requirements.

Acceptance criteria

  • EU/UK user without opt-in consent → SSC is not created
  • US user who has opted out → SSC is not created
  • No cookie present and no consent given → do nothing (no SSC, no cookie set)
  • Consent decision is based on decoded TCF/GPP strings

Affected area

Core (synthetic IDs, cookies, GDPR), Fastly runtime

Proposed approach

Before the SSC creation path, add a consent check that:

  1. Reads the decoded consent result (from TCF/GPP decoding).
  2. Determines jurisdiction (EU/UK vs US) from the consent signal type.
  3. For EU/UK (TCF): requires explicit opt-in — block SSC if consent is not granted.
  4. For US (GPP): checks opt-out — block SSC if user has opted out.
  5. If no consent string is present, treat as no-consent and do not create SSC.

Additional context

Sub-issue of #54. Related to #312, PR #380.
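
One way to express the gate from the proposed approach, added here as an example; it is not code from the issue or from the project. The type names, the `Malformed` case (treated like a missing string) and the choice of TCF purpose 1 as the required purpose are assumptions, and decoding is assumed to have happened before the gate runs.

```rust
// Added example with hypothetical types; TCF/GPP decoding happens upstream.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum ConsentSignal {
    /// TCF (EU/UK): bit (n - 1) is set when purpose n has consent.
    Tcf { purposes_consented: u32 },
    /// GPP (US): true when the decoded section records an opt-out.
    UsGpp { opted_out: bool },
    /// Assumption: a string was sent but could not be decoded.
    Malformed,
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum SkipReason { NoSignal, Malformed, TcfOptInMissing, UsOptedOut }

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum SscDecision { Create, Skip(SkipReason) }

/// Assumption: the publisher requires TCF purpose 1 before creating an SSC.
pub const REQUIRED_TCF_PURPOSES: u32 = 1 << 0;

/// Decide whether the SSC creation path may run. Every branch that is not an
/// explicit allow returns Skip, so a missing or broken signal fails closed.
pub fn gate_ssc_creation(signal: Option<ConsentSignal>, required: u32) -> SscDecision {
    match signal {
        None => SscDecision::Skip(SkipReason::NoSignal),
        Some(ConsentSignal::Malformed) => SscDecision::Skip(SkipReason::Malformed),
        // Opt-in: all required purpose bits must be set; an empty requirement never allows.
        Some(ConsentSignal::Tcf { purposes_consented })
            if required != 0 && purposes_consented & required == required => SscDecision::Create,
        Some(ConsentSignal::Tcf { .. }) => SscDecision::Skip(SkipReason::TcfOptInMissing),
        // Opt-out: allowed unless the user has opted out.
        Some(ConsentSignal::UsGpp { opted_out: true }) => SscDecision::Skip(SkipReason::UsOptedOut),
        Some(ConsentSignal::UsGpp { opted_out: false }) => SscDecision::Create,
    }
}

fn main() {
    // Constructed inputs covering the acceptance criteria and the allow cases.
    let cases = [
        None,
        Some(ConsentSignal::Tcf { purposes_consented: 0b10 }),
        Some(ConsentSignal::Tcf { purposes_consented: 0b11 }),
        Some(ConsentSignal::UsGpp { opted_out: true }),
        Some(ConsentSignal::UsGpp { opted_out: false }),
    ];
    for case in cases {
        println!("{:?} -> {:?}", case, gate_ssc_creation(case, REQUIRED_TCF_PURPOSES));
    }
}
```

Returning a reason with each skip lets the caller log why no SSC was created without inspecting the consent string again.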
